Releases: brompwnie/botb
Keyctl Pwnage Addition
In this release, the following is addressed:
- Added @initree's Keyctl pwnage to extract entries from the Linux Kernel Keyring (https://www.antitree.com/2020/07/keyctl-unmask-going-florida-on-the-state-of-containerizing-linux-keyrings/)
- Modified the new Keyctl code to be multi-threaded to make use of Go workers to speed up enumeration
botb-linux-amd64
SHA256 3aae4a2bf41aedaa3b12a2a97398fa89a9818b4bec433c20b4e724505277af83
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.8.0/botb-linux-amd64" -o "botb-linux-amd64" \
&& chmod +x botb-linux-amd64
botb-darwin-amd64
SHA256 0abdd4ae3ef75cd0315be79dc7d1222400bb87981469d907deb3c79d814d9747
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.8.0/botb-darwin-amd64" -o "botb-darwin-amd64" \
&& chmod +x botb-darwin-amd64
botb-linux-386
SHA256 e397f414864c25abe51f23baba44d3698ca284fe9a80bf5cfe0085c6b4a9b18c
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.8.0/botb-linux-386" -o "botb-linux-386" \
&& chmod +x botb-linux-386
botb-darwin-386
SHA256 8f75ac76d5e627c71af054793a3fd7ca7178b9547811be4c60a7825c41a6cd52
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.8.0/botb-darwin-386" -o "botb-darwin-386" \
&& chmod +x botb-darwin-386
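The notes above publish a SHA256 for each binary, but the download commands never compare it before running chmod +x. As an added example (not part of BOtB), a POSIX shell helper that fetches an asset and only marks it executable when its digest matches the published one; the version, asset name and expected hash are passed in from the release notes.

```shell
#!/bin/sh
# Added example, not BOtB code: verify a release asset's SHA256 before trusting it.

# Print the SHA256 hex digest of a file using whichever tool the platform has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected hex digest (case-insensitive), 1 otherwise.
verify_sha256() {
    actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download one release asset and chmod +x it only after the hash check passes.
# Usage: fetch_verified 1.8.0 botb-linux-amd64 <SHA256 from the release notes>
fetch_verified() {
    version=$1; asset=$2; expected=$3
    url="https://github.com/brompwnie/botb/releases/download/${version}/${asset}"
    curl -fSL "$url" -o "$asset" || return 1
    if verify_sha256 "$asset" "$expected"; then
        chmod +x "$asset"
        echo "[+] $asset verified against published SHA256, made executable"
    else
        # A mismatch means a corrupt or tampered download; do not leave it around.
        echo "[!] SHA256 mismatch for $asset, removing it" >&2
        rm -f "$asset"
        return 1
    fi
}
```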
K8's Secret Pwnage and Refactoring
In this release, the following is addressed:
- Started the code refactor to split code between utils.go and lib.go
- Added the ability to detect mounted Service Account tokens in a Kubernetes cluster
- Added the ability to verify if detected Service Account tokens work against the Kubernetes API
- Cleaned up some duplicate and shitty code
Below are the BOtB binaries for multiple platforms and their corresponding SHA256 hashes.
botb-linux-amd64
SHA256 34838b2b1170d43fa21a49b506d58e4335f56bde2658b4a18d1cda93fe1ed5f8
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-linux-amd64" -o "botb-linux-amd64" \
&& chmod +x botb-linux-amd64
botb-darwin-amd64
SHA256 f58f4b895c6c8e3b1d3eaf5b71cc986afb2fe82e56f0e507ac0911a112b80619
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-darwin-amd64" -o "botb-darwin-amd64" \
&& chmod +x botb-darwin-amd64
botb-linux-386
SHA256 6ce0dca4b6a22b705f46c1b916980ae19aa7e1ee47a76992809600be6697be58
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-linux-386" -o "botb-linux-386" \
&& chmod +x botb-linux-386
botb-darwin-386
SHA256 4dfe3f7b538168e365cd2bf50f1b232e8dc01752119575812c0ab1a1c3498849
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.7.0/botb-darwin-386" -o "botb-darwin-386" \
&& chmod +x botb-darwin-386
Bug fixes and Refactorings
In this release, I addressed the following:
- Fixed a bug in the pwning of privileged containers
- Added more informative error output
- Cleaned up some duplicate and shitty code
Below are the BOtB binaries for multiple platforms and their corresponding SHA256 hashes.
botb-linux-amd64
SHA256 2477a6b1268d6a6bed56ddef49e37389d2a78a8d278e50df937764a12ec60efe
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.6.0/botb-linux-amd64" -o "botb-linux-amd64" \
&& chmod +x botb-linux-amd64
botb-darwin-amd64
SHA256 ac3da01cbb647607ad67345ab19eba6337fb28a29cab193a0699589cf5bd5ae1
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.6.0/botb-darwin-amd64" -o "botb-darwin-amd64" \
&& chmod +x botb-darwin-amd64
botb-linux-386
SHA256 08289ba6a413a34d98c787c038b8b94f501344550d9c4f1cc76b07618ed64c1a
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.6.0/botb-linux-386" -o "botb-linux-386" \
&& chmod +x botb-linux-386
botb-darwin-386
SHA256 9e85c9388b2246abffabe352d02b4d8913db379eb1e3eaf1c6785c4604e0d30f
curl -fSL "https://github.com/brompwnie/botb/releases/download/1.6.0/botb-darwin-386" -o "botb-darwin-386" \
&& chmod +x botb-darwin-386
YAML Config support added
In this release I've added support for driving BOtB from a YAML config file. This is useful in situations where CLI parameters are not ideal. Some minor bug fixes and refactoring as well.
Example Usage:
YAML config file cfg.yml
payload: id
verbose: false
always-succeed: true
cicd: false
endpointlist: endpoints.txt
wordlist: wordlist.txt
path: /
mode: find-sockets
Running BOtB with YAML config.
./botb -config=cfg.yml
[+] Break Out The Box
[+] Loading Config: cfg.yml
[+] Looking for UNIX Domain Sockets from: /
[!] Valid Socket: /tmp/thisisnotasocket.mock
[+] Finished
Update to Autopwn TTY
In this release, I have changed the Docker command that is used to provide the autopwn TTY. This was inspired by this article, https://zwischenzugs.com/2015/06/24/the-most-pointless-docker-command-ever/.
The new autopwn command now provides a TTY with access to the host's network, PID and IPC namespaces. For example, previously running "ip addr show" showed you the container's network namespace; now it shows the host's network namespace, and likewise for the other namespaces. This addition gives your autopwn shell more info about the host.
Always Succeed Release and Minor fixes
In this release, the following has been added:
- Ability to force BOtB to always return an exit code of 0 (zero) via the -always-succeed flag. This was a feature request from issue #3
- Minor flag updates, i.e. find-http and pwn-privileged
Blackhat Arsenal Release
In this release, the ability to break out of privileged containers has been added via the -pwnCgroup option. This feature exploits the cgroup release agent functionality described at https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes.
New features and enhancements
In this release, the following has been added:
- The directory /usr/sbin has been added to the list of directories to hijack binaries from
- Ability to scan for UNIX Domain Sockets that respond to HTTP requests
- Ability to scrape all the legacy metadata from the GCP instance metadata endpoint
- Ability to push data to an S3 bucket
Initial Release
This is the initial release for BOtB and provides the following:
- Find and Identify UNIX Domain Sockets
- Identify UNIX domain sockets which support HTTP
- Find and identify the Docker Daemon on UNIX domain sockets or on an interface
- Analyze and identify sensitive strings in environment variables and processes via ProcFS, i.e. /proc/{pid}/environ
- Identify metadata service endpoints, e.g. http://169.254.169.254
- Perform a container breakout via exposed Docker daemons
- Perform a container breakout via CVE-2019-5736
- Hijack host binaries with a custom payload
- Perform actions in CI/CD mode and only return exit codes > 0